0

I have a server which is barely 4 months old and already a process is running to "spam" people. this is baffling as I have a secure password and have never given it to anyone. I am taking the following action:

  1. Changed root password
  2. When I search the web for Exim, it seems to be closely tied with cPanel - I am searching how to remove that and really don't believe I need it for the cost anyway
  3. For now I did yum remove exim and rebooted. Don't really use or get that much email.

Below is a transcript of some mail logs from /var/log/exim_mainlog - logging successfully stopped after I removed exim.

My question now is, how to find the process that was running and sending these emails out? Is it a CRON process? If so how to find it (knowing cPanel is probably what configured cron)? If not a cron job what else could it be?

Again here are some of the logs:

2017-01-09 12:33:59 1cQZ98-0003I9-TB [211.29.133.14] SSL verify error: depth=0 error=unable to verify the first certificate cert=/C=AU/ST=New South Wales/L=Macquarie Park/O=Optus Administration Pty Ltd/OU=Internet Services Engineering/CN=*.optusnet.com.au
2017-01-09 12:33:59 1cP42S-0001RJ-5L SMTP error from remote mail server after MAIL FROM:<myuser@mysite.com> SIZE=1789: 421 4.7.0 [TSS04] Messages from 99.99.9.20 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
2017-01-09 12:33:59 1cP42S-0001RJ-5L SMTP error from remote mail server after MAIL FROM:<myuser@mysite.com> SIZE=1789: 421 4.7.0 [TSS04] Messages from 99.99.9.20 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
2017-01-09 12:34:00 1cP42S-0001RJ-5L SMTP error from remote mail server after MAIL FROM:<myuser@mysite.com> SIZE=1789: 421 4.7.0 [TSS04] Messages from 99.99.9.20 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
2017-01-09 12:34:00 1cP42S-0001RJ-5L SMTP error from remote mail server after MAIL FROM:<myuser@mysite.com> SIZE=1789: 421 4.7.0 [TSS04] Messages from 99.99.9.20 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
2017-01-09 12:34:00 1cP42S-0001RJ-5L SMTP error from remote mail server after MAIL FROM:<myuser@mysite.com> SIZE=1789: 421 4.7.0 [TSS04] Messages from 99.99.9.20 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
2017-01-09 12:34:01 1cQZ98-0003I9-TB => somebody1@optusnet.com.au R=dkim_lookuphost T=dkim_remote_smtp H=extmail.optusnet.com.au [211.29.133.14] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 2.0.0 Ok: queued as 3ED27D4A54F"
2017-01-09 12:34:01 1cQZ98-0003I9-TB Completed
2017-01-09 12:34:01 SMTP connection from (mail.compasspointmedia.com) [120.194.186.99]:1841 closed by QUIT
2017-01-09 12:34:01 1cP42S-0001RJ-5L SMTP error from remote mail server after MAIL FROM:<myuser@mysite.com> SIZE=1789: 421 4.7.0 [TSS04] Messages from 99.99.9.20 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
2017-01-09 12:34:01 1cP42S-0001RJ-5L SMTP error from remote mail server after MAIL FROM:<myuser@mysite.com> SIZE=1789: 421 4.7.0 [TSS04] Messages from 99.99.9.20 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
2017-01-09 12:34:01 1cP42S-0001RJ-5L SMTP error from remote mail server after MAIL FROM:<myuser@mysite.com> SIZE=1789: 421 4.7.0 [TSS04] Messages from 99.99.9.20 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
2017-01-09 12:34:02 1cP42S-0001RJ-5L SMTP error from remote mail server after MAIL FROM:<myuser@mysite.com> SIZE=1789: 421 4.7.0 [TSS04] Messages from 99.99.9.20 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
2017-01-09 12:34:02 1cP42S-0001RJ-5L SMTP error from remote mail server after MAIL FROM:<myuser@mysite.com> SIZE=1789: 421 4.7.0 [TSS04] Messages from 99.99.9.20 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
2017-01-09 12:34:02 1cP42S-0001RJ-5L == somebody2@yahoo.com R=dkim_lookuphost T=dkim_remote_smtp defer (-45) H=mta7.am0.yahoodns.net [66.196.118.34]: SMTP error from remote mail server after MAIL FROM:<myuser@mysite.com> SIZE=1789: 421 4.7.0 [TSS04] Messages from 99.99.9.20 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
2017-01-09 12:34:02 1cP42S-0001RJ-5L ** somebody2@yahoo.com: retry timeout exceeded
2017-01-09 12:34:02 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1cP42S-0001RJ-5L
2017-01-09 12:34:02 1cQZ9G-0003Lb-Pr <= <> R=1cP42S-0001RJ-5L U=mailnull P=local S=2639 T="Mail delivery failed: returning message to sender" for myuser@mysite.com
2017-01-09 12:34:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cQZ9G-0003Lb-Pr
2017-01-09 12:34:02 1cP42S-0001RJ-5L Completed
2017-01-09 12:34:04 1cQZ9G-0003Lb-Pr => sfullman <myuser@mysite.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <myuser@mysite.com> sdFAMzqDc1hTMQAAvYvy0A Saved"
2017-01-09 12:34:04 1cQZ9G-0003Lb-Pr => |/usr/local/cpanel/bin/autorespond myuser@mysite.com /home/cpm006/.autorespond (myuser@mysite.com) <myuser@mysite.com> R=virtual_aliases_nostar T=jailed_virtual_address_pipe
2017-01-09 12:34:04 1cQZ9G-0003Lb-Pr Completed
2017-01-09 12:34:05 1cP34S-0006lf-BI SMTP error from remote mail server after MAIL FROM:<myuser@mysite.com> SIZE=1799: 421 4.7.0 [TSS04] Messages from 99.99.9.20 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
2017-01-09 12:34:05 1cP34S-0006lf-BI SMTP error from remote mail server after MAIL FROM:<myuser@mysite.com> SIZE=1799: 421 4.7.0 [TSS04] Messages from 99.99.9.20 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
Oliver Williams
  • 286
  • 1
  • 3
  • 13
  • does your server run any mail server program? – Sum1sAdmin Jan 09 '17 at 13:25
  • per my post, I was running Exim. I executed `yum remove exim` and confirmed it was removed, and that the /var/log/exim_mainlog was no longer being written to – Oliver Williams Jan 09 '17 at 13:26
  • then I would guess that when it was running it was not configured and was open relay https://en.wikipedia.org/wiki/Open_mail_relay – Sum1sAdmin Jan 09 '17 at 13:36
  • Are you absolutely sure there is a local process sending those mails? This is not apparent from the log snippet in the post. And by the way, exim is not tied to cPanel in any way -- you can use exim without having cPanel. – Lacek Jan 11 '17 at 14:34

0 Answers0